Security Incidents mailing list archives
Re: "closed-port" backdoors
From: Joe Boyle <jboyle () PRIMARYKNOWLEDGE COM>
Date: Thu, 22 Mar 2001 13:11:35 -0500
In Phrack magazine (issue 52), there is an article describing some techniques to weaken Linux using LKMs, including complete source. One of the features of the module is to overload the socket system call so that whenever a packet is received using recvfrom(), the size of the packet is inspected. If it matches a magic size, a command is executed locally. So, it isn't exactly what you asked for, but I believe it could be readily modified to do what you described.

http://phrack.infonexus.com/search.phtml?view&article=p52-18

joe

On Wed, 21 Mar 2001, Andreas Hasenack wrote:
> Has somebody seen in the wild a type of backdoor where no ports are open until a specific set of packets are sent to the machine? For example, the backdoor would only bind to port X if the machine receives SYN packets to three other ports in sequence. I've seen code to do this (and sorry if it's not new), but I haven't seen rootkits using it.
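As an added example (not part of the thread above), a small Python detector for the pattern Andreas describes from the defender's side: one source sends SYNs to several closed ports in quick succession and then successfully connects to a port that is not a known service. The iptables-style log lines, the epoch timestamps and the port numbers are constructed; the regular expression would need adapting to a real firewall's log format.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic): 10.0.0.5 knocks on three closed
# ports within a few seconds and is then accepted on an unexpected port.
# 10.0.0.7 only produces two unrelated drops minutes apart.
SAMPLE_LOG = """\
1001 DROP SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=7001 SYN
1002 DROP SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=7002 SYN
1003 DROP SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=7003 SYN
1005 ACCEPT SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=31337 SYN
1010 DROP SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=22 SYN
1300 DROP SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=23 SYN
"""

# Assumed line layout: "<epoch> <DROP|ACCEPT> SRC=<ip> ... DPT=<port> SYN"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+) SYN$"
)

def parse(log):
    """Turn log text into (timestamp, action, src, dport) tuples, skipping junk."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["ts"]), m["action"], m["src"], int(m["dpt"])))
    return events

def find_knock_sequences(log, window=30, min_knocks=3, known_services=frozenset()):
    """Return (src, knock_ports, opened_port) for every accepted SYN that was
    preceded within `window` seconds by SYNs to at least `min_knocks` distinct
    closed ports from the same source, unless the accepted port is a known service."""
    by_src = defaultdict(list)
    for ev in parse(log):
        by_src[ev[2]].append(ev)
    hits = []
    for src, evs in by_src.items():
        evs.sort()
        for ts, action, _, dpt in evs:
            if action != "ACCEPT" or dpt in known_services:
                continue
            # Distinct closed ports this source hit in the window before the accept.
            ports = []
            for t, a, _, p in evs:
                if a == "DROP" and ts - window <= t < ts and p not in ports:
                    ports.append(p)
            if len(ports) >= min_knocks:
                hits.append((src, tuple(ports), dpt))
    return hits
```

Tune `window` and `min_knocks` to the background scan noise on the host; a source that merely port-scans will hit far more than three ports and can be filtered by an upper bound if needed.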